Lessons Learned Through Conflict

Within our community, we often talk about the latest technologies, exploits, tools, and assessment strategies, but this time I am going to change the pace a little bit. One of the challenges that we face within cybersecurity, that we are never really prepared for beforehand, is dealing with emotionally difficult challenges that come with working in cybersecurity.

One way or another, you are going to face challenges that are going to catch you off guard, leaving you feeling defeated or even unappreciated in the services that you provide within the ever-growing threat landscape. These experiences can be very daunting, and make you question various aspects of your career path, which is a position no one wants to be in. More often than not, we do not experience these scenarios until it is too late, especially if you are coming into a job being green.

What I am looking to share with you all are lessons learned from conflicts that I have experienced during my tenure in this field. It is my hope that by imparting my experiences, that they may offer you a unique perspective, or aid in overcoming any similar challenges you may experience.

Whoami? Who Are You?

It is extremely easy to find yourself hidden away out of view of the people you are working with. We often find ourselves hidden behind keyboards and do not have many opportunities for face-to-face interactions. Over time, this may create a disconnect with your peers. Those within security roles are not always seen as a hero, but oftentimes as an annoyance, especially on the blue side of things. We implement controls to help keep our information systems secure, but that may also hinder the ability of others to do their jobs as quickly as they would like. 

If you have more face-to-face interactions with people, they will learn who the person is behind the security restrictions. It will help you build a rapport and make them (and you) feel more comfortable interacting with you. This can lead to dialogue where they feel more comfortable with talking to you about difficulties, and maybe more open to understanding why you have something implemented a certain way.

People tend to only interact with security when something bad is going on, giving all those interactions a negative connotation. However, if you talk to people when things are going well, it will help change the atmosphere. Turn the camera on during web chats, and go to the meeting in person when you can. Let them see and get to know the person behind the keyboard and title.

Risk… Accepted!?

As cybersecurity professionals, we understand what will happen if we do not implement efficient security controls or patch identified vulnerabilities, but that doesn’t always mean that it will happen. Depending on the risk at hand, the decision-makers within the organization will make the call as to whether a risk will be remediated. Sometimes they may decide to accept an identified risk.

Sometimes the risk may not be as important, and other times you may feel frustrated that the decision-makers are making a huge mistake and you want them to know this. This is an extremely hard pill to swallow at times, but we need to understand that we did our job, and it is best to move on.

I will give you an example of this. I had found that an organization had allowed access to RDP to a host that was being used as a jump box from the internet, without any conditional access restrictions or MFA. Once found, this was reported as a major risk. Fortunately, a proper remote access solution was already in place for this organization; it was simply a back door created by lazy administrators looking to circumvent proper workflows.

I did my homework and left the conversation feeling I nailed it, and that a major hole was going to be plugged. To my displeasure, they decided to accept the risk without a reasonable rationale. I laughed. I was pissed. I was annoyed. The more I pushed the subject, the less they were willing to listen.

Whether you are on the blue or red side of security, we are advisors to risk. If we find a risk, our job is to document it and report it through the proper channels. If an organization makes the call to accept the risk and do nothing, that is their decision as that is their role. We can either choose to let it eat away at us or move on to the next task.

What matters here is that you did what you were there to do. Should something bad come to fruition, you can come back to the fact that you tried to warm them. In lieu of waiting for things to catch on fire, consider implementing a recurring process where you review accepted risks with leadership so that you can mention your concerns again through a more formal process.

Hostile Interactions

Within this field, you are either a hero or a nightmare, depending on who you ask. This is because we all have different goals and not everyone is security-oriented, let alone cares about security. As security professionals, we care about security, and we know what will happen if you do not. Because of this mindset, we offer recommendations that in our minds will only help but depending on who is on the other end of that change, they may feel like they are being attacked.

I helped an organization that had previously allowed Domain Users to remain as a local admin on every workstation. We know this to be extremely dangerous. I produced a remediation plan to help resolve this risk by restricting local admin access to only those who truly needed it. I explained the risk and even had a demonstration prepared to show how a single phishing email could lead to the pwnage of their entire infrastructure. The point got across and there was not going to be any pushback.

By the time I was finished, there was kicking, screaming and faces were turning shades of red I didn’t even know existed. When you are in a discussion that gets heated, take note of who was upset and table the discussion immediately; nothing productive will occur if people are angry.

Give it a day or so and schedule a one-on-one with the individual(s) that were the most concerned. By this time, they have calmed down and will be more open to talking about why they got so upset with this initiative. People do not like change, especially when it’s security that changes something that has been in place for so long.

In this particular scenario, they were most concerned about processes around how software would get installed and whether or not the help desk was staffed to handle the influx of calls. Granted, this likely wasn’t their initial rationale when they were angry.

More often than not, staff will get triggered when they do not feel safe, are not being given an opportunity to voice their opinion, or do not understand what is being changed. When this happens, they will either fight or flight. Be aware of the warning signs when someone is about to blow up and you must do your best to keep a level mind and do not add fuel to the fire.

If It Is Not DNS, It Is the Anti-Virus

Bringing a little bit of tech into this discussion, as this topic tends to throw new blue teamers off guard. Anti-virus has its place in every security program; it is a valuable control that is better to have than not. However, if you are not part of the security team that implements the software, it is considered the root of all evil. AV will get blamed for every issue. Cannot access a website? It is AV. Cannot download Wireshark? It is AV. No more coffee in the breakroom? It is AV. That’s a joke, chances are I didn’t refill the pot.

This can lead to what feels like non-stop finger-pointing that can be quite exhausting. AV will get blamed without any sort of evidence or direction into the point of failure, leaving it to you to rule in/out AV. This can be avoided if we articulate our AV stance ahead of time.

For example, one contention point is how to manage scanning exclusions. There is a stigma with AV that it bogs your system and prevents functionality. While this can happen, it is not a blanket expectation across the board. Vendors do not care how expensive your solution is, if it is AV, they do not want it touching their stuff. Every implementation team for a given piece of software will have a list of AV exclusions that they want applied to their environment. If your security policy does not allow vendor recommended exclusions off the bat, it is a good rule of thumb to make them aware of this as soon as you can and be sure to articulate your concerns with adding them.

You could explain that their exclusion lists are publicly accessible and could be used as a mechanism to bypass AV controls by dropping payloads in the default exclusions for that software. Other times you could tell them you will only add exceptions when no other acceptable solution to a given problem exists where a scanning exclusion is the answer. Their recommended exclusions are there to prevent having the AV discussions so they can move on to other troubleshooting efforts should issues come up.

Imposter Syndrome

Briefly, imposter syndrome is a lack of confidence in your own capabilities. This lack of confidence will make you feel like you are a fraud when you move into distinct roles because you don’t think you’re good enough for the role or task at hand. This is a feeling that can occur unexpectedly or after an unpleasant interaction at the workplace. This can easily lead to depression and prevent us from pursuing advancements in our careers.

Having a lack of confidence in your skillset often masks other good qualities that you may not realize. If you are feeling a lack of confidence, this also tells me that you are a very humble individual and that you pay attention to minor details. In my experience, I have also found that those going through this are very receptive to feedback and are willing to continue the never-ending pursuit of professional development.

Do not let the negative feelings take you over. Remember, we are always going to be students. We are a student in cyber security, a student in life. There are always opportunities for improvement in everything that we do. You are good enough, you will nail that interview, you will drop that shell, you will pass that exam!

Obstacles In Your Path Define The Path

Cyber security is a critical component to the success of an organization. You are there to help lower the likelihood of an organization being impacted by a security breach. To accomplish this, we are often involved in a wide variety of projects, both IT and non-IT related.

Despite having such an important role, some project teams will do everything they can to avoid involving security. This can occur for a number of reasons, but one of the top contenders is that we are often seen as difficult to work with and can be misconstrued as a contributor to a project delay. There are a number of reasons why our actions cause others to avoid us, but a lot of it comes down to our ability to communicate effectively.

Imagine a project team has taken months worth of resources to implement an environment that provides a benefit for the organization or the local community. You get wind of the go-live and go on a warpath because you haven’t been involved. You identify the servers and tear them apart and halt production due to the number of insecure configurations. You put together an email illustrating your displeasure and called out the negligence of the project team for not involving you from day one.

In our minds, we’re doing our jobs and may have indeed prevented a future incident, but you have also just damaged your relationship with the people involved with the project. The more frustrated we get, the more often our responses will explode and the more damage we’ll do to ourselves.

No matter when we’re involved in a new project, we are usually going to identify something that could be improved; we’re a necessary obstacle in that sense. When you’re a resource that no one wants to work with, they will avoid you. The path forward from here is to understand that what is done is done. However, there’s still an opportunity for improvement to prevent it from happening again. If you’re really upset, avoid electronic communications. You may indirectly inject tone and it could be misinterpreted. Instead, talk to the project lead and see if there is a way they can add to their standard project checklist to ensure that security is involved or at least aware early on about an ongoing project.

Mending Your Mind

I have mentioned it before, but nothing good will come out of an emotionally driven response to conflict. This is true professionally as well as personally. We have all been there and have made mistakes because of this. You may have heard of the phrase, “Do not wear your heart on your sleeve”, while I agree and disagree to a point. Where I disagree with this is that we need to be aware of our emotions as we approach conflict, and we cannot be aware of them if we try to shelter them away from view, even from ourselves. Whether we acknowledge it or not, our mind and body will tell us when something has upset us. As we become more aware of the conditions that will upset us, the more we will be better prepared for those scenarios when they occur.

If you do not know how to prepare for those scenarios, that is ok, it is something that you will learn in time. One of the ways that I learned to mend my mind through conflict is by helping people. Whether that is through our community here helping people through their courses or harassing you all with pictures of food.

Just know that you are not alone in this fight, and we are all in this together.

Be The Resource

You have all heard me say time over time that opinions are based on experiences and if someone has a different opinion than you it is because they have experienced something different than you. This community has students and professionals alike that have varying levels of experiences and different perspectives that come with those experiences; it is a never-ending resource of professional development opportunities. I would like for us all to take advantage of this and tap into this expansive pool of resources.

I am issuing a #BeTheResource challenge to all of you. What this challenge entails is for you to go to our Discord Server in our #fitness-mental-health channel and talk about a mentally difficult challenge that you have experienced and what you would recommend to your peers to overcome that challenge.

For the next week, I will be reading all these posts and will pick two individuals from those posts that will receive a PEN-300 course voucher as my way of saying thank you for sharing your story and giving back to your peers.

I want this week to be full of positive vibes and different perspectives on how we can improve our mental state. Life is a journey that we are all taking a part in together and the more we help each other the better off we will all be.

About the Author

Tristram is one of our OffSec Community Moderators and an avid blue team leader helping to secure the healthcare industry. While most students come to Offensive Security looking to sharpen their skills as penetration testers, Tristram leverages these same teachings in order to identify gaps and validate existing controls to be a more efficient blue teamer. Being a blue teamer introduces a different set of challenges as the more efficient you are with securing an enterprise network, the more battles you’ll tend to face with the staff that is impacted by those same controls. It’s his goal to take those lessons learned and impart them to those looking to follow the same path. You can find more resources from Tristram on GitHub or by reaching out to him on Discord or Twitter (@JDTristram).